NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-12(6) Physical Control of Keys

Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

For organizations that use external service providers (e.g., cloud service or data center providers), physical control of cryptographic keys provides additional assurance that information stored by such external providers is not subject to unauthorized disclosure or modification.

Practitioner Notes

Maintain physical control of cryptographic keys: know where they are and who has access to them, and ensure they cannot be copied or stolen.

Example 1: Store backup copies of critical encryption keys on encrypted USB drives locked in a fireproof safe with dual-person access control. Maintain a key custodian log showing who accessed the safe, when, and why.

Example 2: For HSM-based key storage, keep the HSM in a locked server rack inside a controlled-access server room. Require two authorized personnel to access the HSM for any key ceremony (key generation, backup, or destruction). Log all physical access with video recording.